AVI

Reputation: 348

JWT[ RSA ], api owner shared private key

So I have to write a REST client for an integration we are working on with one of our clients.

They gave us a private key and told us to create a JWT of the json payload. Key:

"-----BEGIN RSA PRIVATE KEY-----\nYYYYYYYYYYYYYYYYYYYYYYYYYYYYY edited ..YYYYY==\n-----END RSA PRIVATE KEY-----\n"

Question: Is it correct to share a private key? Is there any Java example I can use to create a JWT using RSA?

Courtesy - https://wstutorial.com/misc/jwt-java-public-key-rsa.html

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.security.PrivateKey;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.Date;

public String generateJwtToken(PrivateKey privateKey) {
    // new Date(2018, 1, 1) is the deprecated constructor (year offset from 1900, zero-based month) and means 1 Feb 3918; build 2018-01-01 explicitly
    Date expiry = Date.from(LocalDate.of(2018, 1, 1).atStartOfDay(ZoneOffset.UTC).toInstant());
    String token = Jwts.builder().setSubject("adam")
            .setExpiration(expiry)
            .setIssuer("[email protected]")
            .claim("groups", new String[] { "user", "admin" })
            // RS256 with privateKey (jjwt 0.9.x API)
            .signWith(SignatureAlgorithm.RS256, privateKey).compact();
    return token;
}

Upvotes: 1

Views: 432

Answers (3)

maronesamir

Reputation: 26

Better late than never.

It's generally a bad idea to share a private key. But let's assume you own the private key and you want to use it instead of generating a KeyPair each time.

Here is an example of how to use an existing private key, which is stored in a P12 file.

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import org.junit.Test;   // JUnit 4; for JUnit 5 use org.junit.jupiter.api.Test

@Test
public void readP12() throws Exception {   // let any exception fail the test instead of swallowing it
    char[] keyStorePassword = "1234567890".toCharArray();
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    // LOCATION is a directory constant defined elsewhere in the poster's test class
    try (InputStream keyStoreData = new FileInputStream(LOCATION + "\\keystore.p12")) {
        keyStore.load(keyStoreData, keyStorePassword);
    }

    // entry alias "1"; here the same password protects the keystore and the key entry
    KeyStore.ProtectionParameter entryPassword = new KeyStore.PasswordProtection(keyStorePassword);
    KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry)
            keyStore.getEntry("1", entryPassword);
    PrivateKey privateKey = privateKeyEntry.getPrivateKey();
    PublicKey publicKey = privateKeyEntry.getCertificate().getPublicKey();

    String token = generateJwtToken(privateKey);   // the signing method from the question
    System.out.println(token);
    printStructure(token, publicKey);              // poster's helper that parses the token with the public key; not shown
}

You can see how to save a private key in a p12 file

Upvotes: 1

jps

Reputation: 22555

No, it's not correct to share a private key. Never. It's called private for a reason.

It is also not correct to create a token on the client side.

The only correct thing here is that you would need the private key to sign the token, but that's not the task of the client. It defeats the whole purpose of a JWT, because you could write into it (e.g. roles, expiration time) whatever you want. It seems the API owner trusts you, and probably it's an API that is not public, but anyway, I would recommend doing it the right way. They should implement an endpoint to request a token.

Usage examples can usually be found on the websites of the jwt libraries.

Upvotes: 3

Christophe L

Reputation: 14035

RSA keys are public / private key pairs. The private key can be used for signing JWTs, and the public key can be used to verify the signature of those JWTs.

The private key should not be shared with anyone. Doing so would allow random people to access your client API.

I've had good experience using Nimbus to sign JWT with RSA. You can see some examples here: https://connect2id.com/products/nimbus-jose-jwt/examples/jwt-with-rsa-signature.

Upvotes: 2
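As an added example (not code from the question or from any of the answers), the following JDK-only Java program shows the sign/verify split that jps and Christophe L describe: the private key produces the RS256 signature over `base64url(header).base64url(payload)`, the public key checks it, and changing a single claim after signing makes verification fail. It also shows why handing out the private key is a problem: whoever holds it can mint a token with any claims. The key pair is generated in the program for the demo; the class name, the payload strings and the alias-free structure are my own choices. Libraries such as jjwt and Nimbus wrap exactly this `SHA256withRSA` computation. Note that a PEM block starting with `-----BEGIN RSA PRIVATE KEY-----`, as in the question, is PKCS#1; the JDK's `PKCS8EncodedKeySpec` expects PKCS#8, so such a key must first be converted (for example with `openssl pkcs8 -topk8 -nocrypt`) or imported into a P12 keystore as the first answer does.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/** Minimal RS256 JWT sign/verify using only the JDK. Added example; not from the original page. */
public class Rs256Demo {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    // The only header this demo issues and accepts; pinning it refuses downgraded or unexpected algorithms.
    private static final String HEADER_JSON = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";

    /** Signs base64url(header).base64url(payload) with SHA256withRSA, which is what "RS256" means. */
    public static String sign(String payloadJson, PrivateKey privateKey) throws Exception {
        String header = B64.encodeToString(HEADER_JSON.getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(privateKey);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }

    /** Verifies the token with the public key; returns the payload JSON, or null if anything does not check out. */
    public static String verify(String token, PublicKey publicKey) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return null;
        String header = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        if (!HEADER_JSON.equals(header)) return null;   // algorithm pinned to RS256
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(publicKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(B64D.decode(parts[2]))) return null;
        return new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair for the demo; in a real integration only the API owner holds the private half.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        String token = sign("{\"sub\":\"adam\",\"groups\":[\"user\"]}", kp.getPrivate());
        System.out.println("token: " + token);
        System.out.println("verified payload: " + verify(token, kp.getPublic()));

        // Replace the payload with one claiming "admin" but keep the original signature:
        // verification fails because the signature covers the original header.payload bytes.
        String[] parts = token.split("\\.");
        String forgedPayload = B64.encodeToString(
                "{\"sub\":\"adam\",\"groups\":[\"admin\"]}".getBytes(StandardCharsets.UTF_8));
        String tampered = parts[0] + "." + forgedPayload + "." + parts[2];
        System.out.println("tampered token accepted: " + (verify(tampered, kp.getPublic()) != null));
    }
}
```

Compile and run with `javac Rs256Demo.java && java Rs256Demo`. The verifier here only checks the signature and the pinned algorithm; a real consumer also validates `exp`, `iss` and the audience, which jjwt's parser and Nimbus's `JWTClaimsSetVerifier` do for you.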
